Internet protocol security decryption with secondary use speculative interrupts

Abstract

A system for improved decryption performance includes a computer in electronic communication with an encrypted network. A controller performs a decryption operation on an encrypted packet received from the network, and the computer asserts an interrupt prior to the system completing transfer of the decrypted packet back to host memory to reduce the additional latency a packet suffers during Secondary Use. An additional interrupt may be asserted after the Secondary Use operation is complete, to ensure that the Secondary Use packet is processed. A method for improving decryption performance similarly includes asserting an interrupt prior to the complete transfer of a decrypted packet from a controller back to host memory during Secondary Use. The method may further include asserting an additional interrupt after the Secondary Use operation is complete, to ensure that the Secondary Use packet is processed.

Description

BACKGROUND OF THE INVENTION[0001]1. Field of the Invention[0002]The present invention generally relates to encrypted networks. More particularly, the present invention relates to a system and method for improving the performance of an encrypted network by asserting interrupts to reduce latency that packets suffer during Secondary Use.[0003]2. Discussion of the Related Art[0004]Internet Protocol Security (“IPSec”) is employed to protect both the confidentiality and integrity of data that is transferred on a network. Because IPSec provides a way to encrypt and decrypt data below the transport layer (e.g., Transmission Control Protocol, “TCP” or User Datagram Protocol, “UDP”), the protection is transparent to applications that transfer data. Thus, no alterations are required at the application level in order to utilize IPSec. However, when implemented in software, the algorithms used for encryption, decryption, and authentication of the data for IPSec require execution of numerous CPU ...

AI Technical Summary

Problems solved by technology

However, when implemented in software, the algorithms used for encryption, decryption, and authentication of the data for IPSec require execution of numerous CPU cycles.

This configuration adds latency to received data reaching the application, thereby decreasing the throughput of the system.

An extra interrupt is often required to perform these transfers across the bus.

However, such interrupts increase CPU utilization.

Furthermore, the extra latency introduced can degrade throughput of protocols that are sensitive to the round trip time of packets, such as TCP.

However, Inline Receive is more expensive to implement because the keys and matching information for cryptography operations must be stored on the network interface in an SA cache.

Due to such limitations, the INTEL PRO / 100 S Server Adapter, for example, supports only a limited number of connections that can use Inline Receive.

The primary source of the increased latency for Secondary Use is the delay related to the final interrupt of the Secondary Use operation.

Early ingress interrupts have been used on low speed buses where the transfer operation was expensive.

With the advent of busmasters in peripheral component interconnect (“PCI”), this use of early interrupts for any traffic has become scarce.

This utilization, in turn, reduces the packet rate that can be processed, further reducing or eliminating the utility of the interrupt coalescing algorithms.

Images